WordPress Single Sign-On (SSO) using Google Apps / G Suite as IDP
Enable G Suite Google Apps as your identity provider (IDP) for WordPress to enable Single Sign On (SSO) using the WP Cloud SSO plugin.
This setup guide explains the steps to set Google Apps as your IdP, allow SSO for your WordPress users, map G Suite/Google Apps users to WordPress roles, and enable the single sign-on experience while securing access to WordPress.
1.) Setup G Suite/ Google Apps as IDP for WordPress
To configure G Suite/Google Apps as IdP please follow the steps below:
In the WP Cloud SSO plugin, go to the Service Provider Metadata section, where you will find the SP metadata, such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which are necessary to configure the Identity Provider;
Go to the Apps tab in the left menu of the Google Admin console and click on Web and mobile apps.
Click on the Add App button. In the dropdown select Add custom SAML app to create a new SAML app.
Click on the Continue button;
On the next step click on the Continue button;
Insert into the ACS URL field the value from the ACS URL field of the Service Provider Metadata page of the plugin;
Insert into the Entity ID field the value from the Entity ID field of the Service Provider Metadata page of the plugin;
Select Name ID format as EMAIL;
Select Name ID as Primary email;
Click on the Continue button;
Click on the Finish button;
On the main page of the created SAML application click on OFF for everyone;
Select Service status as ON for everyone;
Click on the Save button;
2.) Configure WordPress as SP
In the WordPress WP Cloud SSO plugin, go to the Identity Provider Setup tab of the plugin.
There are 2 ways to configure the WordPress SSO plugin:
Free Plan
Premium/Enterprise Plans
Free Plan
Manual Google Apps IDP configuration:
Navigate to the configured SAML application in the Google Admin console;
Click on the Download Metadata button;
Navigate to the Identity Provider Setup page of the plugin;
Select Google Apps Identity Provider;
Enter Identity Provider Name;
Insert the values from the Google Apps Download Metadata window as shown in the screenshot below;
Click on the Save button;
Click on the Test Configuration button;
See that the Google Apps identity provider is successfully configured;
Premium/Enterprise Plans
Upload Google Apps IDP Federation Metadata XML File:
Note: This upload feature is only available to paid plans.
Navigate to the configured SAML application in the Google Admin console;
Click on the Download Metadata button;
In the modal window click on the Download Metadata button;
The Google Apps metadata file will then be downloaded to your computer;
Navigate to the Identity Provider Setup page of the plugin;
Select Google Apps Identity Provider;
Open the Upload IDP Metadata tab;
Enter the Identity Provider Name and choose the file downloaded from the Google Apps IDP;
Click on the Upload button;
Click on the Test Configuration button;
See that the Google Apps identity provider is successfully configured;
3.) Google Apps Attribute Mapping
Note: Attribute mapping feature is only available to paid plans.
Navigate to the SAML application configured in the previous steps in the Google Admin console;
Click on the Configure SAML attribute mapping button;
Select the necessary attributes and click on the Save button;
Navigate to the Identity Provider Setup page of the plugin;
Select the configured Google Apps identity provider;
Click on the Test Configuration button;
Login via your Google Apps account;
See that the attributes were successfully fetched from Google Apps;
Go to the Attribute/Role Mapping page of the plugin;
Insert the attributes received from the Google Apps IDP into the corresponding fields of the Attribute Mapping section for the default WordPress user attributes;
Click on the Save button;
Congratulations! You have successfully set up attribute mapping for the firstName and lastName attributes from the Google Apps IDP. After login to WordPress via the Google Apps identity provider, the firstName and lastName attributes will be mapped to the users. Repeat this setup for any other necessary attributes;
4.) Google Apps Role Mapping
WordPress has 7 pre-defined roles:
Administrator
Editor
Author
Contributor
Subscriber
Customer
To configure default role mapping please follow the steps below:
Go to the Attribute/Role Mapping page of the plugin;
In the Role Mapping section select the required role from the WordPress predefined roles;
Click on the Save button;
To configure multiple role mapping based on group membership, follow the steps below:
Note: The multiple mapping feature is only available to paid plans.
First, you need to configure the Group attribute (this attribute carries all of the user's groups) to be received from Google Apps;
Go to the configured SAML application in the Google Admin console;
Select the necessary groups to be sent in the Group membership section;
Enter App Attribute as groups;
Click on the Save button;
Go back to the Identity Provider Setup page of the Plugin;
Select the configured Google Apps Identity provider;
Click on the Test Configuration button;
See that group attributes were successfully fetched;
In the next step go to the Attribute Mapping page of the plugin;
Insert the target Group attribute as the source Group attribute from Google Apps;
Click on the Save button in the Attribute Mapping section;
Insert the value of the target Group attribute from Google Apps for the corresponding WordPress role;
Click on the Save button in the Role Mapping section;
After this, all users who have a group attribute with the value administrators will be assigned the Administrator role in WordPress, and all users who have the group value editors will be given the Editor role. If a user has multiple groups, as in the screenshot below, the user will be assigned the first matching role. In the case of the screenshot, the user will be given the Administrator role.
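To make the two mappings from sections 3 and 4 concrete, the following added example (not plugin code) parses the AttributeStatement of a constructed SAML assertion for a user in two groups, applies the firstName/lastName attribute mapping and resolves the role. It assumes that "first matching role" means the first role in the configured Role Mapping order whose group value the user holds, and that the attribute names are the ones used in this guide (firstName, lastName, groups).

```python
# Added example, not the plugin's own code: apply the guide's attribute and role
# mapping to the AttributeStatement of a SAML assertion from Google Apps.
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Mapping section: WordPress field -> Google app attribute name (from the guide).
ATTRIBUTE_MAPPING = {"first_name": "firstName", "last_name": "lastName", "groups": "groups"}
# Role Mapping section, checked in this order; first match wins, else the default role.
# (Assumption: the plugin evaluates roles in configured order.)
ROLE_MAPPING = [("administrator", "administrators"), ("editor", "editors")]
DEFAULT_ROLE = "subscriber"

def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def map_user(attrs):
    """Build the WordPress user fields and the single role the mapping would assign."""
    user = {}
    for wp_field, saml_name in ATTRIBUTE_MAPPING.items():
        values = attrs.get(saml_name, [])
        # groups is multi-valued; the name fields take the first value only
        user[wp_field] = values if wp_field == "groups" else (values[0] if values else "")
    groups = set(user["groups"])
    # A user in several groups gets the first configured role that matches.
    user["role"] = next((r for r, g in ROLE_MAPPING if g in groups), DEFAULT_ROLE)
    return user

# Constructed sample: the relevant fragment of an assertion for a user in two groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>editors</saml:AttributeValue>
      <saml:AttributeValue>administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Note that the editors value arrives first in the assertion but the user still lands in the Administrator role, because the configured mapping order, not the order of the group values, decides; a user whose groups match nothing falls back to the default role.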
6.) Google SSO Login Button - Redirect to IDP
Next, enable your Google Apps / G Suite SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for instructions on setting them up.